Pawn Storm is an active cyber espionage actor group that has been very aggressive and ambitious in 
recent years. The group’s activities show that foreign and domestic espionage and influence on geopolitics 
are the group’s main motives, and not financial gain. Its main targets are armed forces, the defense 
industry, news media, politicians, and dissidents. 

We can trace activities of Pawn Storm back to 2004, and before our initial report in 2014 there wasn’t 
much published about this actor group. However, since then we have released more than a dozen 
detailed posts on Pawn Storm. This new report is an updated dissection of the group’s attacks and 
methodologies— something to help organizations gain a more comprehensive and current view of these 
processes and what can be done to defend against them. 

Pawn Storm is becoming increasingly relevant particularly because it is doing more than just espionage 
activities. In 2016, the group attempted to influence public opinion, to influence elections, and sought 
contact with mainstream media with some success. Now the impact of these malicious activities can 
be felt by various industries and enterprises operating throughout the world. Even average citizens of 
different countries might be affected as Pawn Storm tries to manipulate people’s opinions about domestic 
and international affairs. The attacks of Pawn Storm may even serve as an example for other actors, who 
could copy tactics and repurpose them to fit their own objectives. 

As we look at Pawn Storm’s operations over a two-year period, we can see how the group has become 
more adept at manipulating events and public opinion through the gathering and controlled release of 
information. Many events— like their involvement in the Democratic National Convention hack— have 
been covered extensively. The group’s cyber propaganda methods — using electronic means to influence 
opinion — create problems on multiple levels. Aside from manipulating the public, their operations also 
discredit political figures and disrupt the established media. The proliferation of fake news and fake 
news accusations in 2017 can in part be attributed to constant information leaks and manipulations by 
malicious actors. Media sources have already confirmed that Pawn Storm offered them exclusive peeks at 
high-impact information, presumably in an attempt to skew public perception on a certain topic or person. 

In this paper, we take a deeper look at the facts we have compiled and delve into the variety of attacks 
that the group is using. Pawn Storm is known for its sophisticated social engineering lures, efficient 
credential phishing, zero days, a private exploit kit, an effective set of malware, false flag operations, and 
campaigns to influence the public opinion about political issues. 

At its core, Pawn Storm — also known as Sednit, Fancy Bear, APT28, Sofacy, and STRONTIUM — is still 
a persistent cyber espionage actor group. The actors often attack the same target from different sides, 
using multiple methods to reach their goals. The group generally relies on practiced techniques, specifically when 
it comes to phishing. Credential phishing has been a key part of many compromises done by Pawn Storm 
in recent years and we were the first to describe them in detail from 2014 and onwards. 

We start this paper with a section on false flag operations and a rundown of Pawn Storm’s attempts 
to influence the public opinion. The second section focuses on different methods used to attack free 
and corporate webmail — mostly through sophisticated phishing tactics. The third section details Pawn 
Storm’s campaigns that we tracked over the years, and lists their intended targets. The next section 
covers their preferred attacks, facilitators, and also their attitude towards their own operational security. 
And lastly, we give some guidelines on how to defend against Pawn Storm. 
Pawn Storm uses a variety of tactics to collect information from their identified targets — often through 
credential phishing. Some of the information is then leaked on websites that are specifically designed 
to display stolen data. More than once Pawn Storm disguised itself as “hacktivists” or whistleblowers 
motivated by some agenda. 


Operating Under Alternative Fronts 

After Pawn Storm breached the World Anti-Doping Agency (WADA) and the Court of Arbitration for Sport 
(TAS-CAS) in 2016, a group that calls themselves the “Fancy Bears’ Hack team” posted medical records 
of athletes on their website (security company CrowdStrike uses “Fancy Bear” to identify Pawn Storm 
actors). The hack team claims they stood for “fair play and clean sport”; however, in reality they leaked 
confidential medical records that were very likely stolen by Pawn Storm. This move could be meant as 
retaliation against the decision of WADA to block several athletes from the Olympics in Rio de Janeiro, 
Brazil. It could also be meant to weaken the position of WADA and influence the public opinion of doping 
incidents. 

In 2015, US Army information was released on the site cyb3rc.com by a group calling itself the Cyber 
Caliphate. The group presented itself as pro-ISIS and suggested that they are an Islam-inspired terrorist 
group. In the same year, Cyber Caliphate claimed to have taken down the live broadcast of French TV 
station TV5 for a number of hours. Pro-ISIS messages from the group also appeared on the Twitter and 
Facebook accounts of TV5. This was particularly painful for France, a country that was still in shock from 
terrorist attacks on the editors of Charlie Hebdo, a French satirical weekly magazine. However, it was later 
reported that the Cyber Caliphate was actually a front of Pawn Storm. 

French magazine L’Express shared indicators with us that clearly connected Cyber Caliphate to Pawn 
Storm, which French authorities later confirmed. The motives for the TV5 attack are still unclear. Of course, 
it is also possible that this attack was the work of undisciplined Pawn Storm actors. Though the Pawn 
Storm actors normally work in a professional way, there have been a few other incidents where some 
Pawn Storm actors showed a lack of discipline. 
Maneuvers Used Against Political Organizations 

In 2016 the Democratic National Committee (DNC) was allegedly hacked by Pawn Storm. Stolen emails 
were published by WikiLeaks and a site called dcleaks[.]com, a domain very likely controlled by Pawn Storm. 
After the DNC hack became public, a lone hacker called Guccifer 2.0 claimed responsibility. He claimed 
to be Romanian (just like the real hacker Guccifer who was convicted in 2016 for compromising the email 
accounts of American business executives, political figures and celebrities), but while communicating 
with the press, it appeared that Guccifer 2.0 was not fluent in Romanian at all. 

A study by ThreatConnect showed that Guccifer 2.0 approached news media and offered them exclusive 
access to password-protected parts of the dcleaks[.]com site. This specific site actually leaks email 
repositories taken from mainly US Pawn Storm targets that have been victimized by the group’s advanced 
Gmail credential phishing campaigns. We were able to collect a substantial amount of information on 
the Gmail credential phishing campaigns of Pawn Storm from 2014 onwards (as we discuss in the How 
Pawn Storm Attacks Free and Corporate Webmail section). This makes it very likely that Guccifer 2.0 is 
a creation of the Pawn Storm actor group. 

Meanwhile, WikiLeaks, which has dubbed itself a “multi-national media organization and associated 
library”, published emails from the DNC and the AK party of Turkish President Erdogan in 2016. We know 
that the DNC received a wave of aggressive credential phishing attacks from Pawn Storm in March and 
April 2016: during the campaign, dozens of politicians, DNC staff, speech writers, data analysts, former 
staff of the Obama campaign, staff of the Hillary Clinton campaign, and even corporate sponsors were 
targeted multiple times. Pawn Storm also used phishing campaigns against the Turkish government and 
parliament in early 2016. This makes it highly plausible that the emails published by WikiLeaks were 
originally stolen by the Pawn Storm actor group. 

Utilizing Mainstream Media 

There have been instances when Pawn Storm uses mainstream media to publicize their attacks and 
influence public opinion. Several media outlets have confirmed that they were offered exclusive access 
to data stolen by Pawn Storm. When the reputable German magazine Der Spiegel reported on doping in 
January 2017, Der Spiegel wrote they were in contact with the “Fancy Bear hackers” for months and that 
in December 2016 they received “several sets of data containing PDF and Word documents in addition to 
hundreds of internal emails from United States Anti-Doping Agency (USADA) and WADA, the World Anti- 
Doping Agency.” This is a clear example where Pawn Storm successfully contacted mainstream media to 
influence the public opinion about a political topic. 
The reports on the Democratic Congressional Campaign Committee (DCCC) being compromised, 
published at the end of July 2016, serve as another example. We discovered that the website was severely 
compromised more than five weeks before it became public. All donations meant for dccc.org were first 
redirected to a site that was under Pawn Storm’s control— this means that the actors had the opportunity 
to compromise donors of the Democratic Party. At the time of discovery, the compromise was about 
a week old and still live. We disclosed the compromise to US authorities responsibly and the problem 
was addressed quickly. We did not publish our findings as a public report could actually benefit Pawn 
Storm by highlighting their capabilities and also impact the US elections. But then more than five weeks 
later the compromise did make headlines. Pawn Storm possibly contacted mainstream media about the 
compromise and, just like in other cases, offered “exclusive” access to stolen information. 

Phishing and Things Pawn Storm Can Do with the Data 

In April and May 2016 Pawn Storm launched phishing campaigns against the German political party 
Christian Democratic Union (CDU) headed by Angela Merkel, which is also around the same time the 
group set up phishing sites against two German free webmail providers. German authorities later 
confirmed that this attack was the work of Pawn Storm. However, it is unknown whether they were successful or 
not. No emails of CDU have been leaked yet, but in some instances Pawn Storm has waited for more than 
a year before it started to leak stolen data. The timed release of information is one way a threat actor can 
maximize the impact of their attack against a target. 

In early 2016, Pawn Storm also set up credential phishing sites that targeted ministries of the Turkish 
government and the Turkish parliament. Another credential phishing site was set up to target the 
parliament of Montenegro in October 2016— this was likely the work of Pawn Storm as well. 

Pawn Storm has also probably leaked stolen information via cyber-berkut[.]org. This is the website of an 
actor group posing as an activist group with a particular interest in leaking documents from the Ukraine. 
The exact relation between Pawn Storm and CyberBerkut is unknown, but we have credible information 
that CyberBerkut has published information which was stolen during Pawn Storm’s credential phishing 
campaigns. Prior to leaking the information, parts of the documents and emails were allegedly altered. 

The authenticity of leaked data is generally not verified, allowing threat actors to alter the stolen data to 
their own benefit and present it as real and unaltered. By publishing carefully selected pieces of unaltered 
stolen data, threat actors can even more effectively influence public opinion in a way that is aligned with 
their interests. 
The incidents mentioned above show Pawn Storm’s interest in influencing politics in different countries. 
This is not limited to the presidential elections in the US, but goes beyond that. Resourceful threat actors 
such as Pawn Storm can sustain long-term operations and leverage different attacks that can last for 
years — such as credential phishing. The next sections will detail how credential phishing has been so 
effective for Pawn Storm. 
Credential Phishing 

Credential phishing is an effective tool in espionage campaigns. A lot of internet users are trained by 
experience not to fall victim to phishing. They are trained to spot obvious grammar and spelling errors, 
uncommon domains in the phishing URLs and the absence of a secure, encrypted connection in the 
browser bar. However, professional actors have the resources to avoid simple mistakes and invent clever 
social engineering tactics. They send phishing emails in flawless English and other languages when 
needed, and they have no problem evading spam filters. 

Essentially, credential phishing attacks have become an effective and dangerous tool that can have 
severely damaging effects. In these attacks a huge amount of sensitive data might be stolen. Credential 
phishing also serves as the first step to penetrate deeper into the infrastructure of a target organization. 

Several attack scenarios are possible through credential phishing: 

• silent data gathering over an extended period of time— Pawn Storm being a prime example since 
our data tracks them silently collecting information for more than a year 

• compromised accounts are used to further penetrate into the network of a victim organization, for 
example by sending emails using stolen identities 

• leaking sensitive emails in order to cause harm to the victim organization and influence public 
opinion 

• domestic espionage on citizens of nations 
Using these simple, but oftentimes well-prepared credential phishing attacks, a group can collect an 
enormous amount of data. Pawn Storm is doing all of the above. In 2016 the group is believed to have 
stolen information from the DNC, Hillary Clinton’s campaign team, and WADA. They also launched 
credential phishing attacks on numerous other organizations: armed forces, defense companies, media, 
and many others. 

It is very likely that from July 2015 to August 2016, Pawn Storm had access to the Gmail account of Colin 
Powell, former United States Secretary of State under the George Bush administration. In September 
2016, more than one year after the initial compromise, dcleaks[.]com posted several of his personal 
emails online. This was just one of the many examples where Pawn Storm leaked confidential information, 
and it shows that some of the compromises span a lengthy period. 

Russian citizens— journalists, software developers, politicians, researchers at universities, and artists— 
are also targeted by Pawn Storm. Several Russian media organizations (including mainstream media 
corporations) and foreign embassies in Moscow are common targets too. 

Pawn Storm has maintained long-running campaigns against high profile users of free international 
webmail providers like Yahoo and Gmail, as well as webmail providers for Ukrainian internet users (Ukr.net) 
and Russian users (Yandex and Mail.ru). Pawn Storm sets up phishing sites of other free webmail 
providers for very specific targets only. We found Pawn Storm phishing domains for relatively small 
webmail providers in Cyprus, Belgium, Italy, Norway, and other countries. Users of university webmail in 
Estonia and Russia were targeted as well. These were probably part of tailored attacks where Pawn Storm 
had very specific and high profile targets in mind. 

The credential phishing attacks against high profile Google, Yahoo and Ukr.net users are relatively 
voluminous. We were able to collect thousands of phishing emails since early 2015. The activity was not 
continuous: Pawn Storm sometimes paused, but later resumed. Some targets get multiple 
phishing emails in one week. 

Credential Phishing Attacks on Corporate Webmail 

Attacking corporate email makes a lot of sense for threat actors as email is one of the weakest points 
in the targets’ defense. In the last four years, Pawn Storm has launched numerous credential phishing 
attacks against the corporate email system of many organizations. Targets included armed forces, 
defense industry, political parties, NGOs, media, and governments around the world. Breaching corporate 
email accounts may lead threat actors to valuable, confidential data and it can be a stepping stone for 
penetrating deeper into the target organization. 
Many organizations allow their employees to read email while they are out of the office. While this greatly 
enhances user convenience, webmail introduces significant risks. Webmail that can be accessed from 
anywhere introduces an attack surface that can be probed not only through direct hacking, but also 
by advanced social engineering. While people might be used to less sophisticated credential phishing 
emails, advanced actors have shown remarkable creativity in their attacks and often they are fluent in 
foreign languages as well. For some of the attacks, victims cannot be blamed for falling for the social 
engineering tricks. We have seen phishing lures that are almost indistinguishable from legitimate emails. 
One of the social engineering lures makes use of a form of tabnabbing, which is discussed below. 

Here are some considerations on the security of webmail: 

• Two-factor authentication improves security, but it doesn’t make social engineering impossible. All 
temporary tokens can be phished by an attacker. 

• Even when two-factor authentication is used, an attacker only has to phish for the second 
authentication token one or two times to get semi-permanent access to a mailbox. They can set 
up a forwarding address or a token that allows third-party applications full access to the system. 

• Mandatory login to a company VPN does raise the bar for an attacker. However, 
VPN credentials can also be phished, and we’ve seen targeted attackers specifically go after VPN 
access credentials. 

• Authentication with a physical security key makes credential phishing virtually impossible unless 
the attacker has physical access to the equipment of the target. When a target uses a physical 
security key, the attacker either has to find an exploit to get unauthorized access, or he has to get 
physical access to the security key and the target’s laptop. 

• To add to authentication methods that are based on what you know and what you have, one could 
add authentication that is based on what you are: fingerprints or other biometric data. Biometrics 
have already been used by some laptop and phone vendors, and have also been a common 
authentication method in datacenters for more than a decade. 
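The second consideration above, semi-permanent access through a forwarding address or a token for a third-party application, is something a mailbox audit log can reveal after the fact. The following is an added example, not code from this report or from Trend Micro: a small Node.js check over a constructed, simplified audit-event format (the event type names, field names and scope names are assumptions for the example, not any provider’s real schema) that flags inbox rules forwarding to an external domain and consent grants that give an application full mailbox access.

```javascript
// Added example (not from the Trend Micro report): review mailbox audit events
// for the two persistence artefacts discussed above, an auto-forward to an
// outside address and a third-party app granted full mailbox access. Both
// survive a password reset, so they matter after any suspected phishing.
// The event shape and scope names below are assumed for the example; real
// providers (Exchange Online, Google Workspace) have their own schemas.

const INTERNAL_DOMAINS = new Set(["mfa.example"]); // assumed internal mail domains

// Scope names treated as "full mailbox access" (illustrative, not a real API).
const FULL_MAILBOX_SCOPES = new Set(["mail.full_access", "mail.readwrite"]);

function domainOf(address) {
  const at = address.lastIndexOf("@");
  return at === -1 ? "" : address.slice(at + 1).toLowerCase();
}

function isExternal(address, internalDomains = INTERNAL_DOMAINS) {
  const domain = domainOf(address);
  return domain === "" || !internalDomains.has(domain);
}

function findMailboxPersistence(events, internalDomains = INTERNAL_DOMAINS) {
  const alerts = [];
  for (const ev of events) {
    if (ev.type === "inbox_rule_created") {
      // Forward and redirect actions both copy mail out of the mailbox.
      const targets = [...(ev.forwardTo || []), ...(ev.redirectTo || [])];
      const external = targets.filter((a) => isExternal(a, internalDomains));
      if (external.length > 0) {
        alerts.push({
          time: ev.time,
          user: ev.user,
          reason: "external_forwarding_rule",
          detail: `rule "${ev.name}" forwards to ${external.join(", ")}`,
        });
      }
    } else if (ev.type === "app_consent_granted") {
      const scopes = (ev.scopes || []).map((s) => s.toLowerCase());
      if (scopes.some((s) => FULL_MAILBOX_SCOPES.has(s))) {
        alerts.push({
          time: ev.time,
          user: ev.user,
          reason: "third_party_app_full_mailbox_access",
          detail: `app "${ev.appName}" granted ${scopes.join(", ")}`,
        });
      }
    }
  }
  return alerts;
}

// Constructed sample events: a phished analyst account gets a silent forward
// (rule name ".", mail deleted after forwarding) and a "helper" app with full
// access; a clerk sets up an ordinary internal forward that should not alert.
const SAMPLE_EVENTS = [
  { time: "2016-03-22T08:14:00Z", type: "login_success", user: "analyst@mfa.example", ip: "203.0.113.7" },
  { time: "2016-03-22T08:15:30Z", type: "inbox_rule_created", user: "analyst@mfa.example",
    name: ".", forwardTo: ["archive.mailbox@mail-backup.example"], deleteAfter: true },
  { time: "2016-03-22T08:16:05Z", type: "app_consent_granted", user: "analyst@mfa.example",
    appName: "Mail Sync Helper", scopes: ["mail.full_access", "profile"] },
  { time: "2016-03-22T09:00:00Z", type: "inbox_rule_created", user: "clerk@mfa.example",
    name: "Team", forwardTo: ["team-lead@mfa.example"] },
];

function runSample() {
  return findMailboxPersistence(SAMPLE_EVENTS);
}

console.log(JSON.stringify(runSample(), null, 2));
```

In practice the events would be pulled from the provider’s audit API on a schedule; the point of the check is that a forwarding rule and an application grant both outlive the phished session and a subsequent password change, so they are worth reviewing for every user whose credentials or second factor may have been phished, not only for users who report a suspicious email.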
Phishing Campaign Targets 

This section lists some of the organizations that were targeted by Pawn Storm with a campaign that was 
specifically set up for them. In many cases, only very few employees of these organizations were targeted. 


Date | Organization | Phishing Domain 

Military 
12/12/13 | Chilean military | mail.fach.rnil.cl 
05/15/14 | Armenian military | mail.mil.am 
10/23/14 | Latvian military | web.mailmil.lv 
02/25/15 | Romanian military | fortele.ro 
03/25/15 | Danish military | webmail-mil.dk 
03/26/15 | Portuguese military | webmail.exerclto.pt 
05/13/15 | Greek military | webmail-mil.gr 
09/04/15 | Danish military | fkit-mil.dk 
09/05/15 | Saudi military | mail.rsaf.qov.sa.com 
10/16/15 | United Arab Emirates army | mailmil.ae 
10/19/15 | Kuwaiti military | mail.kuwaitarmy.gov-kw.com 
10/21/15 | Romanian military | mail-navy.ro 
03/04/16 | Bulgarian army | mail.armf.bg.message-id8665213.tk 

Ministry of Defense (MOD) 
01/23/14 | MOD Bulgaria | mail.arnf.bg 
02/11/14 | MOD Poland | poczta.mon.q0v.pl 
04/04/14 | MOD Hungary | mail.hm.qov.hu 
04/30/14 | MOD Albania | mod.qov.al 
05/22/14 | MOD Spain | mail.mod.qov.es 
11/18/14 | MOD Afghanistan | mail.mod.qov.af 
09/05/15 | MOD Saudi Arabia | mail.moda.qov.sa.com 
02/19/16 | MOD Poland | poczta.mon-gov.pl 

Ministry of Foreign Affairs (MFA) 
03/17/15 | MFA South Georgia | email.mfa.qov.gs 
07/16/15 | MFA Armenia | webmail-mfa.am 
10/02/15 | MFA United Arab Emirates | webmail.mofa.qov.ae 
10/02/15 | MFA United Arab Emirates | webmail.mfa.qov.ae 
12/10/15 | MFA Qatar | mail.mofa.gOv.qa 

Intelligence Units 
01/10/14 | National Security Bulgaria | dansa.bg 

Defense Industry 
04/24/14 | Academi | mail.academl.com 
04/24/14 | Boston Dynamics | mail.bostondynamlcs.com 
08/11/14 | Science Applications International Corporation (SAIC) | webmail-saic.com 
09/10/14 | Polski Holding Obronny | mailpho.com 

Media 
11/01/14 | New York Times | privacy-yahoo.com 
12/01/14 | New York Times | link.candybober.info 
01/22/15 | Buzzfeed | account.password-google.com 
06/22/15 | The Economist Intelligence Unit | accounts.gOOqle.com 
08/24/15 | Sanoma Media | mobile-sanoma.net 
02/24/16 | Hurriyet | posta-hurriyet.com 
03/14/16 | Anadolu Agency | anadolu-ajansi.com 
03/15/16 | Anadolu Agency | mail.anadoluajansi.web.tr 
05/11/16 | Hurriyet | webmail-hurriyet.com 
06/12/16 | Hurriyet | mail-hurriyet.com 
11/14/16 | Al Jazeera | account-aljazeera.net 
11/14/16 | Al Jazeera | ssset-aljazeera.net 
11/15/16 | Al Jazeera | sset-aljazeera.net 
11/16/16 | Al Jazeera | sset-aljazeera.com 
11/21/16 | Al Jazeera | mail-aljazeera.net 

Political Parties 
03/01/15 | National Democratic Institute | url.googlesetting.com 
04/01/15 | National Democratic Institute | login.accoounts-google.com 
01/12/16 | Prime Minister Turkey | e-post.byegm.web.tr 
01/12/16 | Prime Minister Turkey | mail.byegm.web.tr 
02/01/16 | Prime Minister Turkey | eposta.basbakanlik.qov.web.tr 
02/01/16 | Parliament Turkey | e-posta.tbmm.qov.web.tr 
03/01/16 | Democratic Party US | myaccount.google.com-securitysettingpage.gq 
04/01/16 | Democratic Party US | myaccount.google.com-changepasswordmyaccount-idx8jxcn4ufdmncudd.gq 
04/22/16 | CDU | webmail-cdu.de 
05/06/16 | CDU | support-cdu.de 
06/06/16 | Democratic Party US | actblues.com 
10/20/16 | Parliament Montenegro | mail-skupstina.me 
03/15/17 | Emmanuel Macron campaign | onedrive-en-marche.fr 
04/05/17 | Konrad Adenauer Stiftung | kasapp.de 

Religion 
06/19/15 | Orthodox Church America | accounts.g00qle.com 

Academics 
03/04/16 | Tartu University | mail.university-tartu.info 
09/13/16 | Baikal State University | mail-isea.ru 

Government Agencies 
05/24/15 | Government of Montenegro | mail-gov.me 
09/14/15 | Safety Board Netherlands | vpn.onderzoekraad.nl 
09/28/15 | Safety Board Netherlands | sftp.onderzoekraad.nl 
09/29/15 | Department of Civil Aviation Malaysia | mail.dca.qov.my 
11/03/15 | Government of Montenegro | mail.gOv.me 

Energy Sector 
12/10/14 | Westinghouse Nuclear | webmail.westinqhousenuclear.com 

International Organisations 
06/18/14 | Organization for Security and Co-operation in Europe (OSCE) | login-osce.org 
04/23/15 | Partnership for Peace Information Management System | mail-pims.org 
08/03/16 | World Anti-Doping Agency (WADA) | mail.wada-awa.org 
08/08/16 | World Anti-Doping Agency (WADA) | inside.wada-arna.org 
08/08/16 | Tribunal Arbitral du Sport (TAS, Court of Arbitration for Sport) | tas-cass.org 

Table 1. List of targeted organizations and specific sites set up to target said entities 
Tabnabbing in Credential Phishing 

Tabnabbing is a term that was originally introduced by researcher Aza Raskin. He describes the attack 
as follows: a URL in an open tab of the browser is changed to a phishing site when simple JavaScript 
detects that the user has moved on to another tab or is inactive for some time. When the target believes 
that the phishing site is the real login site of the internet service he was using, he might reenter his 
credentials on the phishing site. 

The trick exploits internet users’ habit of keeping several tabs open in their browser for an extended 
period of time. Many services like online banking require reentering credentials after a certain period of 
inactivity so the user might be familiar with this routine. 

Pawn Storm has been using a variant of tabnabbing. In this attack scenario, the target gets an email 
supposedly coming from a website he might be interested in — maybe from a conference he is likely to visit 
or a news site he has subscribed to. The email has a link to a URL that looks very legitimate. When the 
target reads his email and clicks on the link, it will open in a new tab. This new tab will show the legitimate 
website of a conference or news provider after being redirected from a site under the attackers’ control. 
The target is likely to spend some time browsing this legitimate site. Distracted, he probably did not notice 
that just before the redirection, a simple script was run, changing the original webmail tab to a phishing 
site. When the target has finished reading the news article or conference information on the legitimate site, 
he returns to the tab of his webmail. He is informed that his session has expired and the site needs his 
credentials again. He is then likely to reenter his password and give his credentials away to the attackers. 

This attack scenario is very simple and doesn’t require any exploit. Its success depends on good 
preparation by the attacker, but even experienced security researchers could fall for this social engineering 
trick, in particular when they are on the road and not paying attention to details. 
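The variant described above only works because the tab opened from the email link keeps a reference to the webmail tab in window.opener. A webmail client, or any page that renders untrusted HTML, can remove that reference by adding rel="noopener" to every link that opens a new tab; current browsers imply noopener for target="_blank" links, but older browsers and links opened through window.open without the flag still expose the opener. The following is an added example, not code from the report or from any webmail product; it assumes the rendered email body is available as an HTML string in Node.js, reports links that would expose the opener, and rewrites them. The sample HTML is constructed.

```javascript
// Added example (not from the report): find and fix links in rendered e-mail
// HTML that would hand the opened page a window.opener reference, the hook the
// tabnabbing script in Figure 2 needs to rewrite the webmail tab.
// Plain string processing so it runs under Node without a DOM; the attribute
// parser is deliberately simple and assumes reasonably well-formed markup.

const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttrs(attrText) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function relTokens(attrs) {
  return (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
}

// Hrefs of anchors that open a new tab without rel="noopener".
function findOpenerLeaks(html) {
  const leaks = [];
  const anchorRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || "").toLowerCase() === "_blank" && !relTokens(attrs).includes("noopener")) {
      leaks.push(attrs.href || "");
    }
  }
  return leaks;
}

// Rewrite every target="_blank" anchor so rel carries noopener (and noreferrer,
// which also stops the lure site learning the webmail URL via the Referer header).
function hardenLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (full, attrText) => {
    const attrs = parseAttrs(attrText);
    if ((attrs.target || "").toLowerCase() !== "_blank") return full;
    const rel = new Set(relTokens(attrs));
    rel.add("noopener");
    rel.add("noreferrer");
    // Drop any existing rel attribute, then append the hardened one.
    const withoutRel = attrText.replace(/\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, "");
    return `<a${withoutRel} rel="${[...rel].join(" ")}">`;
  });
}

// Constructed sample: a lure-style message linking to a conference site and a
// news site in new tabs; only the third link is already safe.
const SAMPLE_HTML =
  '<p>The 2014 programme is now online: ' +
  '<a href="http://conference-lure.example/" target="_blank">conference-lure.example</a></p>' +
  '<p><a href="http://news.example/" target="_blank" rel="nofollow">latest news</a></p>' +
  '<p><a href="http://safe.example/" target="_blank" rel="noopener">safe link</a></p>';

console.log("leaks before:", findOpenerLeaks(SAMPLE_HTML));
console.log("leaks after: ", findOpenerLeaks(hardenLinks(SAMPLE_HTML)));
```

With noopener in place the new tab’s window.opener is null, so a script like the one in Figure 2 has nothing to rewrite. A complementary server-side control is the Cross-Origin-Opener-Policy: same-origin response header on the webmail origin, which severs the opener relationship for cross-origin pages regardless of how the link was marked up.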

In Table 2 we show some examples of organizations that have been targeted with credential phishing 
attacks that made use of this tabnabbing trick. 


Target Organization | Phishing domain | Malicious Domain (Social Lure) | Real Domain 
Academi | mail.academl.com | tolonevvs.com | tolonews.com 
Armed forces Latvia | mailmil.lv | tusexpo2015.com | tusexpo.com 
imperialconsult.com | mail.imperialcOnsult.com | skidkaturag.com | skidkatur.com 
MOD Hungary | mail.hm.gov.hu | aadexpo2014.co.za | adexpo.co.za 
MOD Hungary | mail.hm.gov.hu | itec2014.co.uk | itec.co.uk 
MOD Hungary | mail.hm.gov.hu | sofexjordan2014.com | sofexjordan.com 
MOD Hungary | mail.hm.gov.hu | eurosatory2014.com | eurosatory.com 
MOD Spain | mail.mod.gov.es | gdforum.net | gdforum.org 
National Security Bulgaria | mail.dansa.bg | counterterorexpo.com | counterterrorexpo.com 
National Security Bulgaria | mail.dansa.bg | novinitie.com | novinite.com 
National Security Bulgaria | mail.dansa.bg | standartnevvs.com | standartnews.com 
OSCE | login-osce.org | vice-news.com | news.vice.com 
SAIC | webmail-saic.com | natoexhibitionff14.com | natoexhibition.org 
Yahoo users | us6-yahoo.com | us6-yahoo.com | youtube.com 

Table 2. Organizations that were targeted in 2014 with credential phishing that made use of the tabnabbing trick 



Figure 1. A target clicks on a link in an email and is redirected to a legitimate news site that will likely hold his interest 
[Figure 2 is a screenshot of the page source of the Pawn Storm-controlled lure site, whose HTML title reads “Afghanistan News-TOLOnews.com”. The body contains three scripts: a short function that re-arms itself with setTimeout every 5000 ms, a hex-encoded script whose strings decode to window.opener.location being set to https://mail.academl.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.academi.com%2fowa%2f…, and a final statement setting location to http://tolonews.com:80/.] 

Figure 2. Simple JavaScript that is run on the Pawn Storm-controlled website, just before the user is redirected to the legitimate news site. 


The JavaScript itself is not malicious; it simply points the URL in the parent window to a credential phishing site. 


[Figure 3 is a browser screenshot with two tabs open, “Outlook Web App” and “Afghanistan News-TOLOn…”. The active tab shows an Outlook Web App logon form (“Use the light version of Outlook Web App”, “This is a public or shared computer” / “This is a private computer”, User name, Password, “Connected to Microsoft Exchange”, © 2010 Microsoft Corporation) at the address https://mail.academl.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.a…] 

Figure 3. The credential phishing site that was opened in the browser by the tabnabbing trick 


The phishing site is practically indistinguishable from the original webmail site apart from one typo in the 
domain. The target is very likely to fall victim to the attack. 
Compromising DNS settings 

In another simple but dangerous attack scenario against corporate email systems, the DNS settings 
of the mail servers are compromised and changed to point to a foreign server. It is not an unknown 
scenario, as even reputable companies have had their DNS settings compromised in the past. Often 
these compromises are done by hackers who want some media attention either for themselves or for a 
specific cause. These hacks are detected quickly and undone quickly, especially if the hackers are just 
seeking media attention. They simply put up a “hah, you are hacked” message or something similar on the 
hijacked domain. A more advanced attacker can apply the same kind of tricks, but as quietly as possible. 

When an attacker gets DNS admin credentials, he can modify the zone file of a domain name (note that 
reputable registrars offer enhanced security and changes to zone files have to be confirmed by a DNS 
admin over the phone). By changing the MX record of a domain to point to a proxy IP address he controls, 
an attacker can receive all incoming email. 

The proxy can be set up to forward all incoming email to the real, actual receiving email server of the 
target. This allows the attacker to read all metadata of incoming emails, as well as the contents of any 
email that isn’t encrypted. While this kind of attack is not advanced in nature it can have devastating 
consequences. We know of a Ministry of Foreign Affairs in an Eastern European country that had the MX 
record of their domain compromised by Pawn Storm for many months. 
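A quiet MX change of the kind just described is invisible to users, since mail still arrives, but it is visible to anyone who resolves the domain from outside and compares the answer with what the organization intended. The following is an added example, not code from the report: a Node.js check that parses MX answer lines in dig’s answer-section format and compares them with a baseline signed off when the zone was last changed. The answer text is constructed and the domains use the reserved .example TLD; they stand in for a ministry’s domain and an attacker’s relay, and are not the real names from the incident.

```javascript
// Added example (not from the report): compare a domain's observed MX records
// with a baseline signed off when the zone was last changed, and alert when a
// record that would win mail delivery is not in the baseline. The answer text
// is constructed in dig's answer-section format; the domains use the reserved
// .example TLD and stand in for the ministry's real domain and the attacker proxy.

const BASELINE_MX = {
  "mfa.example": [{ priority: 10, host: "mail.mfa.example" }],
};

// Parse answer lines of the form "<name> <ttl> IN MX <priority> <exchange>".
function parseMxAnswers(text) {
  const records = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith(";")) continue; // comments / blank lines
    const parts = line.split(/\s+/);
    const mx = parts.indexOf("MX");
    if (mx === -1 || parts.length < mx + 3) continue; // not an MX answer line
    records.push({
      name: parts[0].replace(/\.$/, "").toLowerCase(),
      ttl: Number(parts[1]),
      priority: Number(parts[mx + 1]),
      host: parts[mx + 2].replace(/\.$/, "").toLowerCase(),
    });
  }
  return records;
}

const key = (r) => `${r.priority} ${r.host}`;

function compareMx(domain, observed, baseline = BASELINE_MX) {
  const expected = baseline[domain];
  if (!expected) return { status: "no_baseline", domain, added: [], removed: [], lowTtl: false };
  const got = observed.filter((r) => r.name === domain);
  const expKeys = new Set(expected.map(key));
  const gotKeys = new Set(got.map(key));
  const added = [...gotKeys].filter((k) => !expKeys.has(k)).sort();
  const removed = [...expKeys].filter((k) => !gotKeys.has(k)).sort();
  // Lower priority value wins delivery: an unexpected record at or below the
  // best baseline priority means mail is being routed somewhere else.
  const bestExpected = Math.min(...expected.map((r) => r.priority));
  const rerouted = got.some((r) => !expKeys.has(key(r)) && r.priority <= bestExpected);
  // A very short TTL on a new record is a weak extra signal of a recent change.
  const lowTtl = got.some((r) => !expKeys.has(key(r)) && r.ttl < 300);
  let status = "ok";
  if (added.length || removed.length) status = rerouted ? "alert_mail_rerouted" : "warn_changed";
  return { status, domain, added, removed, lowTtl };
}

// Constructed answer: the baseline host is still present, but a new, better-
// priority record now points at a relay the organisation does not operate.
const SAMPLE_ANSWER = `
;; ANSWER SECTION:
mfa.example.   60   IN  MX  5   mx-relay.attacker-proxy.example.
mfa.example.   3600 IN  MX  10  mail.mfa.example.
`;

function checkSample() {
  return compareMx("mfa.example", parseMxAnswers(SAMPLE_ANSWER));
}

console.log(JSON.stringify(checkSample(), null, 2));
```

The check should run from a vantage point outside the organization (the attacker’s proxy still forwards mail to the real server, so nothing inside looks wrong) and against public resolvers, since it is the answer the rest of the internet sees that decides where mail goes. Leaving the original host in place at a worse priority, as in the sample, is exactly what keeps such a change quiet, which is why the comparison looks at which record wins rather than at whether the old one is still there.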

We warned the Ministry of Foreign Affairs about the compromise, but the process wasn’t that 
straightforward. All of the email communications of the ministry couldn’t be trusted and we did not trust 
in the safety of their phone system either. As a solution, we first contacted a CERT contact in Europe by 
phone. We described the issue and sent the details in a PGP-encrypted email to the Western European 
CERT. The CERT sent a secure message to an embassy in the affected country. The embassy decrypted 
and printed the email. After that, a courier gave the message to the Ministry of Foreign Affairs and the 
issue was addressed and resolved. 
[Figure 4 flowchart, panel titles: The MX record of the MFA (Ministry of Foreign Affairs) domain was 
compromised; Email and phone lines could not be trusted, so Trend Micro had to find secure 
communication; Trend Micro contacted a Western European CERT by phone and sent a PGP-encrypted 
email; The CERT sent a secure message to the embassy; The message was decrypted and printed by the 
embassy; The printed message was brought to the MFA by courier] 

Figure 4. How Trend Micro warned the MFA about the discovered compromise 


This attack scenario shows how important it is for organizations to use reputable DNS providers and 
registrars only, and to lock down their domain registration so that they don’t get hijacked easily. 

In the past there was at least one other instance where the DNS settings of a government institution in a 
West African country were compromised by Pawn Storm for a couple of months. 

Credential Phishing Campaigns 

Pawn Storm is constantly trying to get access to the mailboxes of high profile users of free webmail 
services. We know of dozens of campaigns, each targeting up to thousands of high profile individuals. 
The social engineering lures used in the campaigns vary in quality, but some lures can be particularly 
dangerous. 

In this section we show a couple of these attacks. We collected credential phishing emails that were sent 
by Pawn Storm to a handful of high profile Yahoo accounts from January 2015 to December 2016. The 
diagram below shows the distribution of more than 160 credential phishing attacks that were sent to these 
high profile Yahoo users. 

Figure 5. Distribution of Pawn Storm’s 160 credential phishing attacks 


The diagram shows that Pawn Storm took a long break during the holidays at the end of 2015. However, 
from mid-November to mid-December 2015, Pawn Storm was particularly active with credential phishing 
against high profile targets. Within this period, Pawn Storm was using a particularly dangerous and 
effective method of credential phishing we will discuss below. 

A serious compromise of a target organization can start with this relatively simple credential phishing 
email: 


[Figure 6 screenshot, reconstructed text of the phishing email] 
From: Google <no-reply.accounts.google@wpereview.org> 
Subject: Your account is in danger 
Date: Aug 19 

Hi 

Our security system detected several unexpected sign-in attempts on 
your account. To improve your account safety use our new official 
application "Google Defender". 

Best, The Mail Team 

2016 Mail Corp. 1997 Amphitheatre Parkway. Mountain View. CA 92042 

Figure 6. Email requesting installation of malicious application “Google Defender” 

The email poses as an advisory from Gmail to install an “official” application called “Google Defender”. 


Normally an internet user will be wary of installing applications he did not ask for. In this particular case 
however, a click on the link will lead to a page on Google.com that looks like this: 


[Figure 7 screenshot: an OAuth consent page at accounts.google.com/o/oauth2/v2/auth reading 
“Google Defender would like to: View and manage your mail; View and manage the files in your Google 
Drive”, with Deny and Allow buttons] 

Figure 7. A legitimate-looking “Google Defender” page asking for email access permissions 


At first sight this might look like a legitimate service of Google: the URL is hosted on the legitimate domain 
accounts.google.com, and the communication with this website is encrypted like usual. The average 
internet user might actually be convinced this is all legitimate. However, despite being on accounts. 
google.com, the application doesn’t belong to Google. It is a third party application made by Pawn Storm. 
In this social lure Open Authentication (OAuth), an open authentication standard, is abused. Below we will 
explain in more detail what OAuth is normally used for. 
Similar attacks from Pawn Storm targeted high profile Yahoo users. For example, in one of the late-2015 
campaigns a “McAfee Email Protection” service was offered: 


[Figure 8 screenshot, reconstructed text of the phishing email] 
Subject: McAfee Email Protection 
From: <service@mail.yahoo.com> (sender as displayed) 

YAHOO! 

Hello, 

Try our new security service for FREE. 

Cloud-based email security that is never outdated. McAfee Email Protection and Continuity blocks 
advanced phishing, spam, malware, viruses, zero-hour threats, malicious email attachments, graymail, 
denial-of-service, and inappropriate content before it reaches your mail. 

Features: 

• Filter outbound email automatically to protect you and your recipients. 

• Ensure 24/7 email access, even during email server outages. 

• Apply technology advances automatically, saving time and money. 

• Access customer support around the clock. 

[Try McAfee Email Protection] 

Thanks for taking these additional steps to keep your account safe. 

Yahoo 

Replies sent to this email cannot be answered 

Figure 8. A phishing attack targeting high profile Yahoo users 


Clicking on the phishing link would lead the target to a URL on the legitimate Yahoo domain 
api.login.yahoo.com. Here the user is asked to turn on “McAfee email protection” that would protect the user 
against various threats. If this offer is accepted, Pawn Storm actors would have full access to his email. 

This lure is similar to the one that was used against Gmail users. It is particularly dangerous as most 
internet users might not realize the applications are not endorsed and carefully checked by their email 
provider. 


[Figure 9 screenshot: a Yahoo OAuth consent page at https://api.login.yahoo.com/oauth2/request_auth 
(with a client_id parameter) reading “By agreeing, you’ll allow McAfee to access: Yahoo Mail”, with a 
“Not now” option and an agreement button referring to the Yahoo terms of service] 

Figure 9. Pawn Storm lure for Open Authentication abuse created for Yahoo users at the end of 2015 

This social engineering lure makes use of an authorization method called Open Authentication (OAuth). 
OAuth is a way of authorizing third party applications to login to users’ online accounts for free webmail 
and other services. The big advantage is that users don’t have to reveal their password to the third party. 
Instead the third party applications get a token that can be used for authentication. 

OAuth is great for the users’ experience on the web. For example, by allowing social networks to access 
your webmail contact list, it is easier to find friends who are subscribed to the same social network. 
Another popular use for OAuth is merging different free webmail accounts into one email account. 

While OAuth offers convenience and useful applications, it also exposes the user to risks. In particular, 
it enables advanced social engineering schemes, especially when service providers do no proper 
background checks on the applications they authorize to use OAuth. For some free webmail services an 
email address and a website are enough to allow a third party application to use OAuth. Because of that, 
OAuth abuse is straightforward, and actor groups like Pawn Storm are taking advantage of OAuth for 
credential phishing schemes. 

These attacks can have the same negative consequences as traditional credential phishing, even when 
no credentials are given away. The scheme is quite simple: 

• an actor creates and signs up a rogue application with an online service provider— like a free 
webmail provider that supports OAuth 

• the application passes the (basic) security checks the online service provider does to confirm 
whether the application is legitimate 

• the actor now sends out emails to targets with a social engineering lure that would trick the 
recipients into allowing OAuth authentication for the rogue application 
• the target might be familiar with generic phishing emails, but not so much with OAuth abuse tricks. 
Chances are significant that even well-educated targets get fooled 

• once OAuth access has been authorized, the target account can be accessed until the user or the 
provider revokes the token. If the target changes his password, the actor can still use the OAuth 
token to access the mailbox. In this case the target might have a false sense of security. 
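The scheme above leaves a durable artifact on the provider side: the grant itself. The following added example (not from the report or any provider’s tooling) audits a constructed export of third-party OAuth grants, flags applications that hold mailbox or file scopes without being on an allowlist, and shows that resetting the user’s password leaves those grants intact whereas revoking them does not. The scope strings are Google’s published Gmail, Drive and Calendar scopes; the export layout, client IDs and app names are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set

# Scopes that hand an application the contents of a mailbox or a file store.
# These are real Google API scope identifiers; all other data below is constructed.
SENSITIVE_SCOPES: Set[str] = {
    "https://mail.google.com/",                           # full Gmail access
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",              # full Drive access
    "https://www.googleapis.com/auth/drive.readonly",
}


@dataclass(frozen=True)
class Grant:
    """One user-to-application OAuth authorization, as an admin export might list it."""
    user: str
    app_name: str
    client_id: str      # provider-issued identifier of the third-party app (constructed)
    scopes: FrozenSet[str]


@dataclass
class Account:
    user: str
    password_hash: str
    grants: List[Grant]

    def change_password(self, new_hash: str) -> None:
        # Password rotation touches only the credential; existing OAuth grants
        # keep working, which is the false sense of security the text describes.
        self.password_hash = new_hash

    def revoke(self, client_id: str) -> None:
        self.grants = [g for g in self.grants if g.client_id != client_id]


def risky_grants(grants: List[Grant], approved_clients: Set[str]) -> List[Grant]:
    """Return grants whose app is not on the allowlist yet holds a sensitive scope."""
    return [g for g in grants
            if g.client_id not in approved_clients and g.scopes & SENSITIVE_SCOPES]


def remediate(account: Account, approved_clients: Set[str]) -> List[str]:
    """Revoke every risky grant on the account and return the client IDs removed."""
    removed = [g.client_id for g in risky_grants(account.grants, approved_clients)]
    for cid in removed:
        account.revoke(cid)
    return removed


# Constructed sample: an approved backup tool, a calendar widget with a harmless
# scope, and a rogue "Google Defender" app asking for mail and Drive access.
APPROVED = {"backup-tool.apps.example"}
SAMPLE_GRANTS = [
    Grant("minister@mfa.example", "Corporate Mail Backup", "backup-tool.apps.example",
          frozenset({"https://www.googleapis.com/auth/gmail.readonly"})),
    Grant("minister@mfa.example", "Calendar Widget", "cal-widget.apps.example",
          frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
    Grant("minister@mfa.example", "Google Defender", "defender.apps.example",
          frozenset({"https://mail.google.com/",
                     "https://www.googleapis.com/auth/drive"})),
]

if __name__ == "__main__":
    acct = Account("minister@mfa.example", "hash-v1", list(SAMPLE_GRANTS))
    print("risky before:", [g.app_name for g in risky_grants(acct.grants, APPROVED)])
    acct.change_password("hash-v2")
    print("risky after password change:", [g.app_name for g in risky_grants(acct.grants, APPROVED)])
    print("revoked:", remediate(acct, APPROVED))
    print("risky after revocation:", [g.app_name for g in risky_grants(acct.grants, APPROVED)])
```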

We informally spoke with two large webmail providers that allow OAuth authentication by third party 
applications. As a result of our informal talks, one webmail provider has changed the way new applications 
are authorized to use OAuth. New applications have to go through a more thorough check before they 
can use OAuth. For this provider we noticed that since late 2015 Pawn Storm stopped sending phishing 
lures that abuse OAuth. Instead Pawn Storm went back to plain old credential phishing, which is generally 
less efficient. 

Spear-Phishing Campaigns 

Pawn Storm tries to snare targets using spear-phishing emails that have a malicious attachment or emails 
that link to an exploit URL. The spear-phishing emails are usually about a recent event covered in the 
news that is likely to be of interest to the targets. Pawn Storm often uses the exact same headlines from 
recent news reports seen on media sites like CNN, Al Jazeera, Huffington Post, Military Times and many 
others. 



[Figure 10 flowchart, panel titles: Social lure (typically referring to a recent event in the news); Exploit 
link in the email; Flash exploit (CVE-2016-7855); Windows privilege escalation exploit (CVE-2016-7255); 
Fingerprinting script by exploit kit; Payload] 

Figure 10. Typical infection chain of Pawn Storm’s spear-phishing campaigns 

In 2015 and 2016 Trend Micro blocked dozens of these spear-phishing campaigns against high profile 
customers. Below we list some of the spear-phishing emails that contained a link to the private exploit kit 
of Pawn Storm, as well as the date and email subject line used. 


Date      Subject line 
02/03/15  Pro-Russian rebels launch new offensive 
03/18/15  NATO’s role in conventional arms control 
03/25/15  Open Skies Consultative Commission 
03/26/15  News: Exercise Ramstein Dust 1 2015 is underway in Italy 
04/01/15  News: Yemen air strikes kill 23 in factory: residents 
04/01/15  National Armaments Directors 
04/01/15  Heavy clashes on Saudi-Yemeni border 
04/06/15  North Korea declares no-sail zone, missile launch seen as possible - reports 
04/06/15  What does Russia’s President Putin really want? 
04/06/15  Ukraine Today: Russian-backed militants appeal to Merkel 
04/06/15  Ambassador of Ukraine to Jordan Dr. Sergiy Pasko held talks with Director of the European 
          Department of the MFAE of Jordan Mr. Daifallah al-Fayez 
04/08/15  Petro Poroshenko congratulated Muhammadu Buhari on his election as President of the 
          Federal Republic of Nigeria 
04/15/15  News: Obama, in ‘therapeutic’ meetings with U.S. Jewish leaders, stresses how much he cares 
04/21/15  China, Japan and South Korea hold renewed talks 
04/22/15  News: Foreign Ministry denies any suspected incidence of corruption in Tunisia’s embassy 
          in Amman 
04/30/15  News: Tragedy in Nepal 
05/05/15  News: Chimerica in Decline? 
05/07/15  Diplomatic Access: The United States 
05/12/15  News: Can China and the EU Cooperate on International Security? 
05/13/15  News: Kerry: Now is ‘Critical Moment’ for Ukraine Conflict 
05/15/15  Russian soldiers quit over Ukraine 
05/20/15  Foreign Minister Szijjarto: NATO must respond to new threats 
06/17/15  Ambassadors RSG Wolfsbos bezoeken Europees Parlement (Dutch: Ambassadors RSG Wolfsbos 
          visit the European Parliament) 
06/19/15  Pew Survey: Irredentism Alive and Well in Russia 
07/03/15  For Your Information: Latest from OSCE Special Monitoring Mission (SMM) to Ukraine 
07/08/15  For Your Information: Latest from OSCE Special Monitoring Mission (SMM) to Ukraine 
07/09/15  For Your Information: ANNUAL MEETING & EXPOSITION 12-14 October 2015 
07/09/15  Iran nuclear deal: Snapping back sanctions 
07/10/15  CNN Politics: What the Iran deal is really about 
07/23/15  NATO Won’t Establish Permanent Military Bases In Poland Amid Russia Tension, US Diplomat 
          Says 
08/27/15  Russia to increase wheat supplies to Egypt, says Putin 
09/08/15  Iraq Puts New F-16s Into Action Against ISIS Jihadists 
09/09/15  Bulgaria Bars Syria-Bound Russian Planes as NATO Fears Grow 
09/16/15  Russia gives Assad firepower, spurring US strategy adjustment 
09/17/15  Burkina Faso: an attempted coup? 
09/18/15  Croatia closes road border crossings with Serbia after migrant influx 
09/21/15  US, Russian Defense Heads Talk about Syrian Military Buildup 
09/21/15  Tsipras returns as PM in decisive Greek election 
09/22/15  Foreign Information Policy 
09/22/15  THE FIGHT AGAINST ISIS 
09/22/15  Despite Attention to Islamic State, Al-Qaida May Be Bigger Threat 
09/23/15  US military reports 75 US-trained rebels return to Syria 
09/24/15  Assad is Moscow’s pawn in regional power stakes 
09/24/15  Russia Warns of Response to Reported US Nuke Buildup in Turkey 
10/01/15  Russia rejects claims its ‘anti-Isis’ airstrikes hit civilians and other rebels 
10/05/15  Israel launches airstrikes on targets in Gaza 
10/12/15  Suicide car bomb targets NATO troop convoy in Kabul 
10/12/15  Syrian troops make gains as Putin defends air strikes 

Table 3. Spear-phishing campaigns by Pawn Storm in 2015, data from Trend Micro’s Smart 
Protection Network 

The subject lines clearly indicate that Pawn Storm uses recent newsworthy events to encourage victims 
to click. Though these are targeted attacks, some of the campaigns are relatively noisy and have been 
frequently deployed from 2015 to 2016. Most of the attacks were not widely reported in media, but some 
did make it to the news. 

In 2016, awareness grew due to the amount of research that was published by Trend Micro and other 
internet security vendors. For example in September 2016 several major German newspapers published 
stories of German politicians that were being attacked by Pawn Storm in August 2016. We can confirm 
that Trend Micro saw spear-phishing emails sent by Pawn Storm using German political themes as social 
engineering lures. However these emails were part of a much bigger campaign with targets in many other 
countries as well. The spear-phishing campaigns as reported in the German media were actually not that 
uncommon, but almost business as usual for the Pawn Storm actors. Still, it shows that in 2016 the actors 
showed a clear interest in compromising political organizations. 

Though some of the spear-phishing emails are relatively noisy, Pawn Storm is careful with how they infect 
their targets. First of all, the exploit URLs are specific for every victim— each has a parameter that is unique 
to the particular target. In case a target clicks on an exploit URL, he will first get fingerprinted with invasive 
JavaScript code that is not malicious by itself. The JavaScript will upload information like the operating 
system version, language settings, browser plugins, and time zone of the target’s computer to the exploit 
server. Depending on the fingerprinting results, the exploit server might give back an old exploit, a 
zero-day, or a social engineering lure. In a lot of cases nothing will happen, apart from a redirection to a 
benign news site that has an article related to the social engineering lure of the spear-phishing email. The 
use of a zero-day will also depend on how valuable that zero-day still is to Pawn Storm. Once the zero-day 
gets discovered and a fix is underway, its value in the attack portfolio will be devalued. 

In 2016 we witnessed that during the interval of a Windows privilege escalation vulnerability being 
disclosed and then patched, Pawn Storm ramped up its operations and targeted a broader range of 
governmental personnel. The group used the just-patched Flash zero-day and the still open Windows 
privilege escalation vulnerability. 

Even when a target does get infected with malware, he will first get relatively simple first stage malware 
installed. This gives Pawn Storm another chance to learn whether a target is worth a deeper probe. If the 
target is interesting enough, the actor will install second stage components like X-Agent and X-Tunnel. 

After this, Pawn Storm might try to penetrate deeper into the network infrastructure, so that it can control 
more nodes in the victim’s network. 

In 2016, Pawn Storm started to use RTF and other Office documents embedded with a Flash file. The 
Flash file will upload information on the targets’ system to a remote server. We have witnessed that the 
remote server may respond with a chain of exploits, zero-days and privilege escalation that will infect the 
target’s computer. This kind of infection chain was first described by Palo Alto Networks researchers and 
dubbed DealersChoice. 
Watering Hole Attacks 

Pawn Storm has compromised websites that targets are likely to visit. For this kind of attack, the actors 
have to wait and see who will visit the compromised sites. On these compromised sites, Pawn Storm 
can choose to inject scripts that will serve their objectives. We have seen instances where Pawn Storm 
injected the so-called Browser Exploitation Framework (BeEF) exploit on legitimate websites. In other 
cases, links were inserted that would lead to Pawn Storm’s private exploit kit. 

Like the name already suggests BeEF works from the browser to attack internet users. BeEF is used by 
legitimate penetration testers and it is very invasive. The framework includes many modules, including 
tools for reconnaissance, social engineering and active exploitation of vulnerabilities. 

BeEF is particularly useful to an attacker when the target doesn’t close inactive tabs in his internet browser. 
When an internet user opens a browser tab and visits a website that has been compromised to link to a 
BeEF exploit URL, the attacker has ample time to do reconnaissance and try out different attacks until 
the browser tab gets closed. These attacks may include social engineering attacks, grabbing passwords, 
and exploiting vulnerabilities. 

We have seen that the website of a Ukrainian defense company was compromised to link to a BeEF 
exploit on a remote server. Visitors of the defense company’s website are likely to be interesting targets to 
Pawn Storm, and might have been exposed to various attacks. An injection of a BeEF exploit happened 
to the websites of some Ministries of Foreign Affairs in Europe and Africa as well. 

Earlier in 2014, Pawn Storm compromised Polish government sites and the website of the Power Exchange 
in Poland. Visitors to the websites were exposed to Pawn Storm’s private exploit kit. 
And as we previously mentioned, in June 2016 Pawn Storm compromised the website of the DCCC. 
Anyone donating money via dccc.org would be redirected to a Pawn Storm-controlled site. Pawn Storm 
possibly intended to compromise donors of the Democratic Party in the US and to spy on them. However 
we have not been able to confirm the exact infection chain. 

Zero-Days 

Pawn Storm is known to have used several zero-days. For example, at the end of October 2016 Pawn 
Storm was identified as using a Flash zero-day together with a privilege escalation in Windows. Soon after 
the Flash vulnerability (CVE-2016-7855) was patched, Pawn Storm started to make the most out of these 
partially patched zero-days by exposing more targets to them. On October 28, 2016 a relatively noisy 
campaign was launched that sent several RTF documents to targets. 


[Figure 11 screenshot, reconstructed text of the spear-phishing email] 
From: Defence IQ (Customer Service), Oct 28 

We are pleased to offer you to visit our Cyber Threat Intelligence and Incident 
Response conference in November. 

Defence IQ, a division of IQPC 
2016 All rights reserved. 

Attachment: Programm_Detail 

Figure 11. A Pawn Storm spear-phishing email with an RTF document 


The RTF document has a Flash file embedded in it that is a simple downloader. We saw that it first 
downloaded an encrypted Flash exploit (CVE-2016-7855) from a remote server. Then it downloaded a 
second file that crashed Microsoft Word. In other reported cases the second file was a first stage payload 
of Pawn Storm. 
In July 2015 Trend Micro discovered a Java zero-day that was exploited together with a privilege escalation 
that evades the click-to-play protection in Java. 

Figure 12. Zero-days that are believed to have been used by Pawn Storm exclusively 
before they were patched 

Apart from these zero-days, Pawn Storm was also quick to use other vulnerabilities that were disclosed 
in the leaks of Hacking Team. 


Second Stage C&C Servers 

We were able to keep track of the live second stage C&C servers from late 2013 until today. At the end of 
2013 there were about five live X-Agent C&C servers. In early October 2016, we counted 26 live X-Agent 
C&C servers. This is a strong indication that Pawn Storm has been very active in 2016. 

Another local peak was in the fall of 2014, possibly because around that time Trend Micro’s first paper on 
Pawn Storm was published and the actor group made changes to their infrastructure. 

Figure 13. Tracking the number of live X-Agent C&Cs from Oct 2013 to Feb 2017 


Around the Christmas holidays of 2016, the number of live X-Agent C&Cs slightly increased to 27. In 
January 2017 the number peaked at 28 live X-Agent IP addresses. Pawn Storm did not take a long break 
during the 2016 holidays. Right after Christmas, on December 26, 2016, we saw Pawn Storm recommence 
their spear-phishing campaign. In January 2017, the usual credential phishing also continued. 

Facilitators 

Pawn Storm has a clear preference for certain webhosting providers and registrars. This preference is 
sometimes so specific that newly set up domains can be spotted before they are even used in attacks. In 
recent months, however, Pawn Storm’s use of IP ranges is getting more diverse and parts of their activity 
have become more difficult to track. 

Generally speaking, Pawn Storm uses the internet infrastructure in well-connected countries like the 
US, UK, France, Netherlands, Latvia, Romania and Germany. In these countries, the national intelligence 
services could probably easily and legally intercept connections to Command and Control servers, sources 
of (spear) phishing emails, and Pawn Storm’s exploit sites that are set up in their country. Encryption and 
TLS in both web traffic and email traffic will limit the usefulness of these legal intercepts, though. 

For example, for sending credential phishing emails Pawn Storm probably doesn’t have to worry about 
authorities unless the authorities have access to the servers that are sending the emails. In the table below 
we illustrate the infrastructure that was used by Pawn Storm to send out Yahoo credential phishing emails 
in 2015. As far as we are aware, for all of 2015, Pawn Storm only used one IP address in Germany and 
one in the Netherlands to send out the phishing emails. 


Date    Sender IP       Server Name (sender)           Backend IP      Server Name (backend) 
Jan-15  80.255.3.94     ubuntu                         46.166.162.90   Henry-PC 
Feb-15  80.255.3.94     ubuntu                         46.166.162.90   Henry-PC 
Feb-15  193.169.244.35  security.service-facebook.com  46.166.162.90   Henry-PC 
Mar-15  80.255.3.94     ubuntu                         46.166.162.90   Henry-PC 
Mar-15  193.169.244.35  security.service-facebook.com  46.166.162.90   Henry-PC 
Apr-15  193.169.244.35  security.service-facebook.com  46.166.162.90   Henry-PC 
Apr-15  193.169.244.35  security.service-facebook.com  46.183.217.74   Henry-PC 
May-15  193.169.244.35  security.service-facebook.com  46.183.217.74   Henry-PC 
Jun-15  80.255.3.94     set121.com                     46.183.217.74   Henry-PC 
Jul-15  80.255.3.94     set121.com                     46.183.217.74   Henry-PC 
Aug-15  193.169.244.35  security.service-facebook.com  46.183.217.74   Henry-PC 
Sep-15  80.255.3.94     set121.com                     46.183.217.74   Henry-PC 
Oct-15  193.169.244.35  security.service-facebook.com  46.183.217.74   Henry-PC 
Nov-15  193.169.244.35  security.service-facebook.com  46.183.217.74   Henry-PC 
Nov-15  193.169.244.35  security.service-facebook.com  185.82.202.102  WIN-17MK2DLAHLN 
Nov-15  80.255.3.94     exua.email                     N/A             N/A 
Nov-15  193.169.244.35  security.service-facebook.com  87.121.52.145   Hans-PC 
Dec-15  193.169.244.35  security.service-facebook.com  87.121.52.145   Hans-PC 
Dec-15  193.169.244.35  security.service-facebook.com  185.82.202.102  WIN-17MK2DLAHLN 

Table 4. Infrastructure used in 2015 by Pawn Storm to send credential phishing emails to high profile 
Yahoo users 
In 2016 Pawn Storm started to use legitimate email providers like GMX and Yandex to send out credential 
phishing emails from VPN servers like IPVanish. Actual data communication to C&C servers like X-Agent 
will be encrypted and this means that exfiltrated data cannot be read unless a decryption algorithm is 
available. Pawn Storm clearly doesn’t care that intelligence services might have some visibility on the 
identities of the victimized targets. 

This becomes even more apparent when we realize that a lot of the X-Agent C&Cs are live for several 
months. Averaged over 3 years of data, X-Agent C&Cs are live for 6 months. Ten of the X-Agent C&Cs 
were live for more than 12 months. This shows that Pawn Storm is somewhat brazen: the actors don’t 
really care if they get caught at some point. You could consider this bad operational security, however it 
also indicates the difficulties targets face when defending against the Pawn Storm actors. In a lot of the 
attacks the actors get what they were after anyway. 

The graph below shows the distribution of second stage X-Agent C&C servers to each country from 
November 2013 until February 2017. It clearly illustrates the distribution of live C&C servers averaged 
over a 3 year period. 
Figure 14. Distribution of live X-Agent C&C servers averaged over a 3 year period 

Operational Security 

Operational security is defined as the precautions that actors take to hide their activities and whereabouts. 
The operational security of Pawn Storm is quite remarkable, since for many of its operations it has 
become apparent that hiding activities is not always a high priority for the Pawn Storm actors. However, 
actions of Pawn Storm cannot easily be attributed to nicknames or profiles in the underground. For many 
cybercriminal groups at least some nicknames from the underground are known, but not so with this 
group. The identities of the individual Pawn Storm actors seem to be protected very well. Pawn Storm 
has a clear preference for some hosting providers, DNS service providers, and domain registrars. By 
monitoring these service providers, it can be relatively easy for a researcher to spot new infrastructure 
that is being set up. In this way, a lot of Pawn Storm’s infrastructure can be discovered early— sometimes 
even before the attacks have actually started. 

There is another side of this apparent lack of operational security though. Pawn Storm is also using 
anonymous registration of domains, and in certain cases they choose very different providers. Attacks 
using this infrastructure might easily get overlooked and not attributed to Pawn Storm. 

Moreover, the preferred service providers of Pawn Storm give the actors good anonymity, one reason 
being these providers usually accept Bitcoin as payment. Pawn Storm makes good use of webhosting 
providers in Western countries that offer privacy to their customers. We don’t know for sure whether 
these hosting companies are knowingly providing services to cyber criminals and cyber spies, perhaps 
at premium rates. However some of the webhosting companies have had ties with so-called bulletproof 
hosting providers in the past. We actually described an example of a hosting provider in the Netherlands 
in a 2016 article. We witnessed that Pawn Storm makes extensive use of VPN servers to connect to free 
webmail providers and then send out spear-phishing emails to their targets. Some of the C&C servers may 
just relay traffic to intermediate proxies and thus relay stolen data back to the actual backend servers over 
more than one hop. Just a couple of proxy nodes will greatly enhance operational security and anonymity 
of the actors. 

Even when the infrastructure of Pawn Storm gets discovered quickly, vast amounts of data might have 
already been exfiltrated to a foreign computer server before the target is aware something is happening. 
There are several examples of infections and compromises that were discovered after months, and even 
after more than a year in some cases. 
The vast majority of the campaigns Pawn Storm is doing would interest intelligence services around the 
world. Investigations by normal police will usually lead nowhere as the problem of espionage can only be 
addressed at higher political levels and not by criminal investigations. Communications between different 
law enforcement agencies are not always optimal within one country and between different countries. 
This can imply that agency X in a country may know about an attack by Pawn Storm in its country or 
another country, but is unable to inform the target in a timely manner. This further adds to the success of 
actors like Pawn Storm. 

It is not unthinkable that the Pawn Storm actors actually appreciate it when researchers dissect and write 
about their operations (after they have achieved their goal anyway). These articles are likely to be picked 
up by mass media, which the actors may consider as free publicity of their capabilities and the media 
reports might also be damaging to the affected target organizations. Normal cybercriminals often don’t 
like media attention and even suspend their activities temporarily when their actions are discovered and 
written about. Pawn Storm doesn’t slow down at all. On the contrary: a lot has been written about Pawn 
Storm since fall of 2014, and their activities have only grown, both in aggressiveness and number. 
This closer look at the activities, operational capacity, and tactics of Pawn Storm gives a comprehensive 
picture of the group’s real motives and capabilities. With a clear understanding of the trends that Pawn 
Storm is following, along with their history and past operations, hopefully potential victims and targets can 
properly address this threat. This last section is dedicated to defending against Pawn Storm. 


Protecting yourself against an attacker like Pawn Storm is a challenge. They have resources that allow 
them to run lengthy campaigns over years, and seem to be single-minded in their pursuit of their targets. 
We’ve seen how the group’s credential phishing tactics work to ensnare even the most savvy webmail 
users, and how sophisticated their attacks look. Pawn Storm has used several zero-days in 2015 and 
2016. They also have well-established tactics, from using tabnabbing to compromising DNS settings, 
creating watering holes and advanced social engineering. And they have no trouble finding new ways to 
abuse technology. 


Pawn Storm attacks from many different sides, and dedicates more of its resources once it identifies 
a worthwhile target. Successfully repelling numerous attacks is no guarantee; only one attack has to succeed 
for the attackers to achieve their goal. 


However, there are some things you can do to raise the level of your defenses: 


1. Minimize your attack surface— systems that do not need to be exposed to the open internet 
shouldn’t be. 

2. Require remote workers to use the corporate VPN to access your systems. 

3. Minimize the number of domain names you maintain and centralize email servers. 

4. Prevent DNS hijacking of your domains. Work with reputable registrars only, or those that allow for 
two-factor authentication of your DNS administrator account. Lock your domain at the registrar to 
further raise the bar for unauthorized changes to your domains. For example, you could choose to 
let your registrar call back your authorized DNS administrator to double-check whether changes to 
DNS zones really have to be made. 

5. Enforce two-factor authentication for corporate webmail or, better still, require authentication by 
means of a physical (USB) security key. 

6. Educate employees on securing their private free webmail and social media accounts too, and 
don’t let them use those accounts for work purposes. 

7. When your employees travel overseas or attend conferences, let them take a clean loan computer 
with them. Wipe the data from the computer and do a fresh OS install after the trip. 

8. Outsourced services can be compromised too; use only reputable third-party services. 

9. Educate workers about email system and/or email account best practices: specifically, don’t store 
sensitive information in email boxes without encryption and don’t send sensitive information by 
email without encryption. 

10. Let a reputable company do penetration testing of your network regularly. Include social engineering 
in these tests. 

11. Keep software updated and patched. 
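
The following Python monitor is an added example and not part of the report or of any Pawn Storm 
tooling; it illustrates the detection side of recommendation 4. It compares a domain's public DNS 
records (NS, MX, A, TXT) against a recorded baseline and checks the EPP status codes in WHOIS output 
for the registrar locks that prevent silent transfers and updates. All names (corp.example, the 
.example hosts, the 192.0.2.x addresses) and the WHOIS text are constructed placeholders, and the 
records are embedded inline so the example runs offline; in production the `observed` dictionary would 
be filled from your resolver and the WHOIS text fetched from the registrar. 

```python
"""DNS hijacking monitor (hypothetical example): baseline diff plus registrar lock check."""
from typing import Dict, List, Set

# EPP status codes (RFC 5731) that a registrar sets when a domain is locked against
# transfer, update and deletion. A domain missing any of these is easier to hijack.
REQUIRED_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}

# Record types worth baselining: delegation (NS), mail routing (MX),
# hosts (A) and mail policy such as SPF/DMARC (TXT).
MONITORED_TYPES = ("NS", "MX", "A", "TXT")

Zone = Dict[str, Set[str]]  # record type -> set of record data strings

# Constructed baseline, recorded when the zone was known to be correct.
BASELINE: Zone = {
    "NS": {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
    "MX": {"10 mail.corp.example."},
    "A": {"192.0.2.10"},
    "TXT": {'"v=spf1 mx -all"'},
}

# Constructed observation: the MX record now points at an unknown host.
OBSERVED: Zone = {
    "NS": {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
    "MX": {"10 mx.relay-host.example."},
    "A": {"192.0.2.10"},
    "TXT": {'"v=spf1 mx -all"'},
}

# Constructed WHOIS excerpts: one with only the transfer lock, one fully locked.
SAMPLE_WHOIS = """Domain Name: corp.example
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: ns1.dns-provider.example
"""
SAMPLE_WHOIS_LOCKED = SAMPLE_WHOIS + """Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
"""


def parse_epp_statuses(whois_text: str) -> Set[str]:
    """Extract EPP status codes from 'Domain Status:' lines, dropping the trailing ICANN URL."""
    statuses: Set[str] = set()
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "domain status" and value.split():
            statuses.add(value.split()[0])
    return statuses


def diff_zone(baseline: Zone, observed: Zone) -> List[str]:
    """Report every record added to or removed from the monitored types since the baseline."""
    findings: List[str] = []
    for rtype in MONITORED_TYPES:
        expected = baseline.get(rtype, set())
        actual = observed.get(rtype, set())
        findings.extend(f"{rtype} record added: {r}" for r in sorted(actual - expected))
        findings.extend(f"{rtype} record removed: {r}" for r in sorted(expected - actual))
    return findings


def check_locks(statuses: Set[str]) -> List[str]:
    """Report each registrar lock that the WHOIS record does not show as set."""
    return [f"registrar lock missing: {s}" for s in sorted(REQUIRED_LOCKS - statuses)]


def check_domain(baseline: Zone, observed: Zone, whois_text: str) -> List[str]:
    """Combine the zone diff and the lock check into one list of findings (empty means clean)."""
    return diff_zone(baseline, observed) + check_locks(parse_epp_statuses(whois_text))


if __name__ == "__main__":
    for finding in check_domain(BASELINE, OBSERVED, SAMPLE_WHOIS):
        print("ALERT:", finding)
```

Run on a schedule from a host outside the monitored zone, the script turns a silent MX or NS change 
into an alert within one polling interval, and the lock check catches the case where a registrar 
account was modified to remove the transfer or update prohibition before any DNS record moves.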